Analysis
max time kernel: 147s
max time network: 78s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2024, 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: 41ca1001b6d5be576633500f1e794509.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 41ca1001b6d5be576633500f1e794509.exe
  Resource: win10v2004-20231222-en
General
Target: 41ca1001b6d5be576633500f1e794509.exe
Size: 285KB
MD5: 41ca1001b6d5be576633500f1e794509
SHA1: f1003a000136a9c6bb02022e0c5500bcb4db7326
SHA256: 74e23e30cecb8d4af291612797235edd36bf1b18f901e9e2b80d600b2f1f55e4
SHA512: b4d389fa4e2d250de576442b3ccdb354840c3548439ef4c1ab527e51f037dad85ab6f8bb72e5d07649da5e7e1dc7a664656c8118ce4ed95a95ceee183c901652
SSDEEP: 6144:/cWESPHaaBrjy1VPFy4ujGfEubV0iQXwGchKMEaPmsnExsz9a9:kaSaF27dyrjG8uZoXXkj
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 220: svchusts.exe
Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\svchusts.exe (process: 41ca1001b6d5be576633500f1e794509.exe)
  File opened for modification: C:\Windows\SysWOW64\svchusts.exe (process: svchusts.exe)
  File created: C:\Windows\SysWOW64\svchusts.exe (process: 41ca1001b6d5be576633500f1e794509.exe)
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\uninstal.bat (process: 41ca1001b6d5be576633500f1e794509.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1608, process 41ca1001b6d5be576633500f1e794509.exe
  Token: SeDebugPrivilege, pid 220, process svchusts.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1608 wrote to memory of 3788 (process 41ca1001b6d5be576633500f1e794509.exe, procid_target 91)
  PID 1608 wrote to memory of 3788 (process 41ca1001b6d5be576633500f1e794509.exe, procid_target 91)
  PID 1608 wrote to memory of 3788 (process 41ca1001b6d5be576633500f1e794509.exe, procid_target 91)
Processes
1. C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\41ca1001b6d5be576633500f1e794509.exe"
   PID: 1608
   Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      PID: 3788
1. C:\Windows\SysWOW64\svchusts.exe
   Command line: C:\Windows\SysWOW64\svchusts.exe
   PID: 220
   Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Download 1
  Filesize: 43KB
  MD5: a38faa4d20e63f8064437a792442df25
  SHA1: 4214541f1bb3e52f53763ecd52e0b72575b9c4e8
  SHA256: f27c476f4d17121c2282e28d357e5acd973c8cb9bf7f30b3f8738c7a75f41a7f
  SHA512: 124078cf268124c605c456386261694f933e31b87217d73ae34ef8bbff6293dc8dd3569cfc81b7995628688d0b77d283106ba7484461007d92a4ce8f4321c430
Download 2
  Filesize: 67KB
  MD5: cc7570108231f30116a3daca5f931769
  SHA1: 5c47115a764ef43aba9eeed57ff81b84cc834877
  SHA256: 0314193d1140023aa2197243f24e50bad472920f79e761525ae35cddaaa77ab5
  SHA512: 3e826596b5c400c00a3b9ff71fed6bcfa1c97b3b6c4432351303b0d650e9b8f77a01b58eba8df3948b215880c03729325e562b7fea38daa1bc340e3bc0c0e5f0
Download 3
  Filesize: 190B
  MD5: aeb1cf086f514a37508d3643c81441fc
  SHA1: f7efa5a5577b98cb50a76f6ba14faeaeaf4f0fa4
  SHA256: 96bccf38fc90f7eb56ed2357dc43f6aad36058ee192591526974b6dc2354e326
  SHA512: cdad85d9637734ac4dc30885afccb8bc940144ef174ba9da948816d376060facfefbc07dc516af6a3e9d54c8f862a9589096a9746311efc9a724391a99743c1d